Hacker News new | past | comments | ask | show | jobs | submit login
Orange Livebox ADSL modems are leaking their WiFi credentials (badpackets.net)
148 points by bad_packets on Dec 23, 2018 | hide | past | web | favorite | 61 comments

Archive: https://web.archive.org/web/20181223120225/https://badpacket...

I have one of these routers, excuse me while I panic/check the vulnerability.

Edit: Checked. It sure leaks the password in plaintext to a simple curl call. I have no words.

Any patch available beyond making your box unavailable to the internet?

OpenWRT seems to be an option if it's Livebox 2.1 or earlier.

Well, an option if you don't mind losing ADSL(1) and wifi from your ADSL router.

(1) It's not clear: the docs mention an Annex working but it's not the same as the one the hardware provides?

Apparently, not really news. Here's a blog post from 2015: http://tecnicaquilmes.fullblog.com.ar/analizando-el-livebox-...

"get_getnetworkconf.cgi -> Another very funny one that gives us the WIFI password without the need for authentication."

It lists several other issues, as well as the default admin login.

Yeah, but that was in Mexican... noone cared about reading that.


Remember when completely open WiFi everywhere (no password, just connect and get Internet) was the norm? One of the famous professionals in the security industry even bragged about it:


Too bad everything seems to be locked down in the name of security these days, and even the slightest gaps seem to cause a lot of panic. I miss those days of essentially free Internet everywhere...

I suspect copyright craziness has hindered this as well. Even if you have a separate VLAN for your open WiFi, I can torrent a movie and get the RIAA/MPAA chasing you.

In fact, the primary motivation of locking down an AP with a WPA password, from an infosec perspective, was NOT ABOUT stop people from using free Internet connection, BUT to harden against the technical limitation of WPA/WPA2 - the protocol, by design, CANNOT offer encryption on an open network, widespread usage of SSL/TLS was only a recently development, it used to be that you cannot run a open AP without COMPLETELY COMPROMISE EVERYONE's security and privacy on your network, INCLUDING YOUR OWN. The better way of doing it, is creating a separate AP, setting up a password and showing it publicly, then the attacker at least needs to intercept an individual handshake before being able to decrypt a portion of traffic. The even better way is WPA-Enterprise, but... In short, the Wi-Fi standard itself unnecessarily forces everyone to make a hard choice between security and openness.

Fortunately, and hopefully, the awakened situation is going to be solved, WPA3 supports encryption on an open AP. Also, WPA3 offers forward secrecy, the traffic cannot be decrypted by passive monitoring unless the attacker is also a Man-in-the-Middle.

BTW, as tyingq said, copyright is a factor, but I think laws in generally are a bigger problem. Under the laws of many jurisdictions, the Wi-Fi user may be responsible for all the legal consequences of other people who is using his/her Wi-Fi. Routing the guest AP over an anonymous VPN connected via Tor may be a solution to the legal challenge, but a legal issue needs a real legal solution.

If you are interested in sharing your Wi-Fi, read https://openwireless.org/

I still do this. But the open wifi is on a separate vlan, and everything is bandwidth limited and routed down a public VPN service. I've never had any problems.

I strongly believe in internet access as a human right.

Care to share how did you achieve this / setup?

It's actually quite easy, if you don't need more than 20 Mbps, you can use any mt76x8 TP Link router with OpenWRT, OpenVPN and SQM and a separate router for wifi (because OpenWRT WiFi support is broken for months on the mt76 driver). I'd consider doing this, but my Internet is capped so I don't want :/ If I upgrade to the unlimited package I will definitely open a hotspot with 10/2 Mbps internet for free to help out people :)

Ubiquiti access points and switches, pfSense router.

It's quite interesting to me to see something like this here. A few years back (turn of the decade) I discovered a similar problem in the equipment of a fairly large ISP, albeit a little bit more serious (think root access). Their fix was to put that port behind a whitelist, with the only IP address able to access it remotely belonging to the ISP.

The problem is, this is one of those ISPs that have an extra SSID on their CPEs for "free" internet, think Xfinity, but this wasn't Comcast, and this vulnerability stems from an HTTPd misconfiguration, so if you can access the equipment's HTTPd (all you need to do is a single, unauthenticated request, so, really any access will do), you've got full access.

I went through some trouble to contact, via third parties, an insider at this ISP with the power to get things fixed - they did fix the remote part (via the aforementioned firewall whitelisting), but I was told, in no uncertain terms, that they didn't care enough to fix the root of the issue, as long as it wasn't massively exploitable, and it wasn't public.

I like my freedom/money too much to publicize details, and so it's still there, all these years later. I wonder how many vulnerabilities like this are out there, fully known by the vendors/providers, but nothing gets done about them because people are too scared to disclose, until eventually someone comes along and blows the whistle, or the equipment is obsoleted?

Doing some anonymous disclosure wouldn't be an option? All their users should know about how their provider treats security issues. We cannot choose with our wallets if we don't have the information to make an informed decision...

ISP provided modem/router is a joke, they just order from cheap vendors in China and make brand names for themselves. Usually it's so bad at firmware and software, and no security practices in mind.

A pure DSL/cable/fiber-optics modem is relatively okay, assuming it's a sane unit, it only does modulation-demodulation on Layer-1/2 with little attack surface. The bad thing is nowadays they usually came from the ISP as a modem/router combined unit, and neither the performance nor security is ideal.

I always see an ISP-provided router as a hazardous & untrusted device. If it offers bridged PPPoE, I would configure it so it works as a pure modem, even it means breaking into the telnet console. Otherwise, I would rather put my own router behind it, double-NAT and firewall it out of my own network.

In Germany, the Choice and Connection of Telecommunication Terminal Devices Act have been passed with the support of free and open source community, which ensure a user can use their own router to connect a broadband network.


If you live in/know about Germany, could you suggest a good alternative to the Kabel Deutschland basic CBN router? I have no clue how the registration to the network would work if I buy a third party router connected directly to my cable input.

You can register the modem via a web portal during the first connection. After a few days you get the activation code via snail mail. But third party cable modems are expensive in Germany. You can also use the provided modem in bridge mode and use a better router behind hit.

That works with KD? Fking unitymedia removed bridge mode from their firmware. :(

I recommend the bridge mode + a better router solution.

We got a DSL login per email a few weeks before the connection became active. Went to the router's admin panel and filled them in under "Internet connection". Once the link came up, Internet worked.

> it only does modulation-demodulation on Layer-1/2 with little attack surface

The simplest of them have a webinterface. If that's leaky, there goes the whole thing because any website can try to connect to it.

Well, sure, but it depends, in practice the security risk is smaller.

I've seen many modems with a web interface, but it's often not routable to the public Internet in actual use, as the connection was bridged and the job of getting a public IP has been delegated to the PPPoE connection on the router behind it (You need to add another network interface, assign a IP address on your router inside the LAN segment under the control of the modem to reach it).

Some modems have a management link, it can be described as an universal ISP backdoor, only reachable in the ISP's LAN.

But in both cases, it's still better than a modem/router combined unit.

In Orange case, I opened a previous livebox model and it was built by Sagem. The board also looked to be nice grade PCB manufacturing (to my noobish eyes at least, but you can tell by the materials, sturdiness, layout etc that it's not the cheapest by far).

Maybe they went for offshort design/manufacturing, that's plausible since most box~ are now mediacenters so basically 80% like any internet tv box on ebay.

Most of the various Livebox versions have been made by Sagem, I believe, but they have used others as well, such as Inventel and Thomson.

Don't know how custom the hardware is, but the firmware appears to be.

Can confirm. One of our customers (we're a security firm) was about to ship their modem/router with some firmware on it of chinese origin. The quality of the code (not just security bugs, but just bugs) was astounding. A colleague picked three lines of code at random, not even looking for a particularly bad part, to explain how this had multiple vulnerabilities. He identified four at first glance. Upon reviewing the report internally, we found two more. Six security vulns in three random lines of code. It was truly astounding.

Lots of them were mitigated due to other bugs preventing you from actually reaching the code when you pass funny input, or the code turns out to be unused (random unused code in your binaries is a big code smell). It was functional: they clearly made sure it all worked. But if you would try to do anything outside of the happy flow, it would bug. The customer also had quite a fight over getting the source code (instead of binaries) in the first place.

In the US, the major players use Arris Modems and Gateways.

Though not technically a leak, Verizon's FiOS routers report your current WIFI password to Verizon (not just the default the router ships with), presumably for customer support reasons.

I didn't expect it to do that, so that was a bit of a surprise.

So that means Verizon is responsible when someone is found sharing copyrighted materials using your connection?

That is pretty standard for any ISP that uses ACS. It allows a tech op to manage the router remotely, which is something most customers both demand and hate.

Why would the tech need the local WiFi password in order to remotely manage the router?

One of the most common problems in ISP customer support is customers changing their default WiFi password (good) but forgetting it (bad). Then their laptop crashes and they need their replacement laptop to connect to the WiFi.

This is also the moment a customer will straight up deny the existence of ethernet cables or claim to have never heard of any Internet-related device that does not use WiFi.

To satisfy these customers, you need to be able to either read out the WiFi password or have some way to push a new one. As it's just plain easier to just allow full-on access to the modem GUI for their customer service agents, it's often possible to read any passwords or settings from the help desk.

I would not expect my ISP to have access to my plaintext WIFI password. The ISP agent should either be able to push a new WIFI password via the internet link (in a secure authenticated manner) or ask the customer to hold a button on the device to reset it to its default password.

You have high expectations. I would never run a WiFi hotspot configured by my ISP.

I found a pretty bad exploit of the Livebox 1.1 back in 2012. I was trying to find a way to replace the shipped firmware by OpenWRT. Never heard back from Sagem/Orange but the vuln was quietly fixed in a later release. I never knew if they never acknowledged it on purpose or fixed it by accident! Funny to see this on HN. Brings back good memories.

Searching for the vulnerability address one can find this from 2012 in fact: https://www.heyrick.co.uk/blog/index.php?diary=20120905&keit...

Cool find! But this for the Livebox 2 (newer version), my "work" was on the Livebox 1.1 (:

I shall write something about it one day, just to immortalize it!

This is why you should always put a reputable router+WAP in front of the ISP supplied modem.

Do you mean behind the ISP modem, or are you looking at the direction in reverse? I’ve always used “in front” to mean between the wall and the modem. This is typically not possible because many providers in the US—e.g., AT&T—expect their box to be first from the wall with certs that authenticate a connection to their network. Thus, using a router that’s under your control requires placing it after the ISP’s modem/gateway (which always meant behind to me).

Additionally, buy your own modem and save (a lot of) money by not leasing it forever from the ISP.

See the point is, going for pure modem means you have to deal with all the VoIP crap too. I'm on VDSL currently and after checking the prices of VDSL modems and reading up on what I'd need to get VoIP running with my DECT phone I went like "screw this" and decided to rent their shitty device for two bucks a month.

Ah, I only use their internet/tv services so I only needed to worry about the cablemodem and dvr (a free cablecard from them decrypts tv so you can use your own "tivo like device"). I purchased my equipment about 5 years ago for about $100 and don't rent/lease any of their gear. It's saved quite a bit over the years.

I change plans every two years. It's ridiculous how much of a discount you get if you are a new customer and sign up for two years. Currently I'm paying 15€ for 25m/7m. After two years it would increase to 25 iirc. That's on VDSL. Before that I was on cable (120m/6m) for 18€ and it would have been 39€ after those two years. It's not that I'm that poor but it just feels like they shit on their customers once they've been acquired.

Related issue: my ISP uses as default wifi password part of the router's MAC address... It could be the kind of problem described in the article - but the site seems down.

A little bit off topic. I find out about this because I set up some Google alerts some time ago for the brands of my network hardware. I'm now at my parents for the holidays and I would miss this news if I hadn't received the email alert.

I remember supporting these modems in The Netherlands in 2010, when some of them were already 5 years old. So basically, it’s an almost 14 year old design...I’m really surprised people still have these things in active use.

Anyone able to access the site? DDoSd for me. Perhaps post a text snapshot here until they get it back up? I tweeted Troy to let them know.

This would be completely mitigated by rolling out CG-NAT for all customers. Orange Espana has been working on this for their fibre customers (I think almost all of them are behind CG-NAT already), but ADSL customers are still waiting for it.

Well, except for attackers behind the CG-NAT.

Also, CG-Nat is a HORRIBLE technology that causes lots of problems for subscribers all fo the sake of allowing an ISP to sell their IPV4 space off at a premium and pump up their numbers if a quarter demands it.

I'm with Virgin cable in the UK and they are going to IPv6 soon ... but with DS-Lite, so CG-NAT for IPv4 (yay, I can't connect back to my home VPN if I'm on an IPv4 only network) but native IPv6 (sort of yay).

You then also have the issues with online services, IP bans etc. etc. etc.

CG-NAT is nothing to be cheered on, and is worse than useless for "security".

Is that definite on Virgin? Seems uncertain still...

It's the method LG have decided on for all their cable networks, and according to this presentation from earlier this month, it's still the plan (and let's face it, if they changed to dual stack now it would take them another 4+ years to get it rolled out ... snails have NOTHING on the LG network operations team): https://www.ipv6.org.uk/wp-content/uploads/2018/11/LG-Virgin...

It is not reasonable to apply "carrier-grade NAT" to residential internet connections.

I'm paying for internet service, I don't want some locked-down system that can't receive inbound connections.

I specifically requested (and got) to be outside their CG-NAT. It worked horribly (the ports got reset every other day, and some other customer could have taken the port you wanted at that point) and some applications with ports hardcoded over number 2000 did not work. People with PPTP VPNs could not use them anymore. Plus, enjoy getting banned from things because you share your IPv4 with plenty of strangers.

You specifically requested to be outside their CGNAT, and now look at your CPE, wide open to the WAN.

"Orange's CGNAT, at least better than our compromised CPE" is certainly catchy PR.

Ehm, what?

So you trust the ISP to implement CG-NAT properly when they can’t manage to secure a simple CPE router?

This is possibly the worst reason I’ve ever heard of for CG-NAT.

CG-NAT has so many issues for consumers that will end up hoisted onto other services/applications support departments. The internet is not a one way street and there are many legitimate reasons for listening ports that I’m surprised anybody would push for CG-NAT.

I can’t even imagine trying to be get through to an ISP to fix their CG-NAT issue. It’s hard enough to get them to fix routing issues without being established on an industry mailing list or having an existing contact.

Nobody wants the AOL internet of yesteryear and IMO CG-NAT is just a step in that direction.

What you're really asking for is carrier-grade stateful firewalls. It just so happens that NAT has a firewall-like effect, along with lots of issues for peer to peer applications (something obscure called Skype used to do that, among others) and power users. NAT is not a solution but a problem.

Your argument is as bad as saying: "Well, that could be mitigated by not having internet"

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact